ClipBucket, Category Access Control Bypass (Medium)

Listen to this Post

The vulnerability resides in the `categories.json.php` API endpoint, which fails to enforce user group–based restrictions when listing categories. In the default request (no `?user=` parameter), the flag `$sameUserGroupAsMe` remains false, causing the group‑filtering logic in `category.php` to be completely skipped. Consequently, all non‑private categories—including those restricted to specific user groups via the `categories_has_users_groups` table—are exposed to unauthenticated users. When the `?user=` parameter is supplied, a type‑confusion bug occurs: the boolean `true` is passed to UserGroups::getUserGroups(), which is cast to integer `1` in the SQL prepared statement. This fetches the admin user’s (user_id=1) group memberships, effectively applying admin‑level visibility to any requester. Additionally, `getTotalCategories()` lacks any filtering parameter, so the total count also reflects the unfiltered set. The endpoint is publicly accessible via `.htaccess` rewrite and requires no authentication.

dailycve form (3 words max per line)

Platform: ClipBucket
Version: Multiple versions
Vulnerability: Category group bypass
Severity: Medium
Date: 2026-03-31

Prediction: Patch by 2026-04-15

Analytics under What Undercode Say:

List all categories without any group filtering
curl -s 'https://target/categories.json' | jq '.rows[] | {id, name, private, users_groups_ids_array}'
Using ?user= triggers admin-group filter instead
curl -s 'https://target/categories.json?user=1' | jq '.rows[] | {id, name, private, users_groups_ids_array}'
Count total categories (unfiltered)
curl -s 'https://target/categories.json?totalOnly=true'

how Exploit:

  1. Send GET request to `/categories.json` with no authentication.
  2. Parse JSON output to retrieve all non‑private categories and their `users_groups_ids_array` values.
  3. Optionally use `?user=1` to see categories visible to admin groups.
  4. Enumerate category metadata (names, descriptions, icons) to map internal access controls.

Protection from this CVE

  • Replace the boolean `$sameUserGroupAsMe` in `categories.json.php` with the current user’s ID (User::getId()) or `-1` for unauthenticated users.
  • Modify `category.php:getAllCategories()` to always apply the group filter, using the provided user ID to retrieve actual group memberships.
  • Update `getTotalCategories()` to accept and honor the same user‑group filtering logic.
  • Validate that `?user=` parameter expects a numeric user ID and never interprets booleans.

Impact

Unauthenticated attackers can enumerate all non‑private categories, including those restricted to specific user groups. The response discloses category names, descriptions, icons, and the exact group assignments (users_groups_ids_array). This information leak reveals internal access‑control structures and can be used to target further bypass attempts on restricted video content. Severity is Medium due to metadata exposure rather than direct content compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top